'Petya' ransomware, a cyber attack believed to have originated in Ukraine, has shown an unprecedented level of sophistication. Authorities believe it spread mainly through a malicious update to the eponymous tax software of M.E. Doc, a small Ukrainian company whose program is widely used by accountants and businesses across Ukraine.

Much like the 'WannaCry' virus (May 2017), 'Petya' locks your computer and gives you a series of instructions that eventually lead you to pay $300 worth of Bitcoin. The important point to notice is that the ransomware hid undetected for 5 days before being triggered a day before a public Ukrainian holiday that celebrates the nation's ratification of a new constitution on June 28, 1996.

How 'Petya' Cripples the Network

'Petya' attacks the Master Boot Record (MBR). It first reboots the computer and then encrypts the hard drive's Master File Table (MFT), which renders the MBR inoperable. From this point forward it locks users out of the system, since the MFT holds the information on file names, sizes, and locations on the physical disk. Finally, Petya replaces the computer's MBR with its own code, which displays the ransom note once the system is powered up. To spread, it uses the EternalBlue/EternalRomance exploits, which target vulnerable SMB installations.
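Because the malware's final step is to overwrite the MBR with its own boot code, one defensive check is to keep a baseline hash of a machine's first sector and re-verify it. The following Python is an added example written for this article, not code from the original page or from any vendor's product. It parses the classic 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), compares the boot code against a recorded baseline, and flags a sector whose boot code has changed. The sample sector and the "tampered" copy are constructed here for illustration; on a real host the sector would be read from the raw disk device with administrative rights.

```python
import hashlib
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Parse the fixed MBR layout: boot code, four partition entries, signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected a {MBR_SIZE}-byte sector, got {len(mbr)} bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:] == BOOT_SIGNATURE,
    }


def check_mbr(mbr: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    parsed = parse_mbr(mbr)
    findings = []
    if not parsed["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if parsed["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from recorded baseline: possible MBR replacement")
    if not parsed["partitions"]:
        findings.append("partition table is empty")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed known-good sample (not a real disk image): a minimal real-mode
    prologue padded with NOPs, plus one bootable NTFS partition (type 0x07)."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (PARTITION_TABLE_OFFSET - 5)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


def demo() -> dict:
    """Check the clean sample and a copy whose boot code was overwritten
    (simulating a bootkit-style replacement that keeps the partition table)."""
    good = build_sample_mbr()
    baseline = parse_mbr(good)["boot_code_sha256"]
    tampered = bytearray(good)
    tampered[0:16] = b"\xeb\x00" * 8  # hypothetical foreign boot code
    return {"clean": check_mbr(good, baseline),
            "tampered": check_mbr(bytes(tampered), baseline)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

The baseline should be recorded while the machine is known to be clean and stored off the host; a sector that still carries a valid partition table but different boot code is exactly the pattern described above, where the bootloader is swapped but the disk layout is left intact so the ransom screen can be shown.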

Aftermath:

On the second day of the attack, Danish shipping giant A.P. Moller-Maersk A/S had to shut down systems across the company to contain the cyber attack on its computer network. Recovery took nearly 5 days to bring all of its systems back online.

"We can, with great certainty, say that we have never experienced anything like this and therefore we are extremely excited to have achieved a milestone in the journey to be back fully online," - Statement issued by Maersk

Security researchers said the Petya virus could jump from one computer to another once unleashed within an organization but, unlike WannaCry, could not randomly trawl the internet for its next victims, which limited its reach.

Other companies affected by this virulent attack included BNP Paribas Real Estate (a part of the French bank that provides property and investment management services) and Mondelez International Inc. (the global snack giant), which experienced a widespread IT outage and shut down its email system as a precaution against further exposure, forcing employees to work via mobile phones, text messages and personal email.

Russia's Rosneft, one of the world's biggest crude producers by volume, also said it had suffered "serious consequences", but that oil production had not been affected because it had switched to backup systems.

The Post-Mortem: It's Too Early

On June 4, Ivanti, a Utah-based IT management software provider, hosted a webinar on the latest global ransomware attack based on "Petya" malware. Commenting on the second wave of the attack, its experts said that, like the original Petya attack, the latest version encrypts the Windows Master Boot Record (MBR). It then schedules a reboot of the infected system instead of rebooting immediately, and the system files are encrypted after that reboot. The delayed reboot gives the attackers time to use the system as a "launch pad" to reach other connected systems.
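The delayed, scheduled reboot described by the webinar is itself something a defender can hunt for: a restart task that appears without a change ticket and is due to fire shortly is worth a look before it runs. The script below is an added example written for this article, not code from Ivanti or from the original page. It assumes the reboot is scheduled through the Windows Task Scheduler and shows up as a task that runs `shutdown` with the `/r` switch; that is a heuristic chosen here, not a detail stated on the page. The input is a constructed CSV fragment modelled on the column names of `schtasks /query /v /fo CSV`, trimmed to four columns; the task names, authors and times are made up.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample resembling `schtasks /query /v /fo CSV` output (only four of
# the real columns are kept). None of these rows were captured from a real host.
SAMPLE_TASKS_CSV = """\
"TaskName","Next Run Time","Author","Task To Run"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","7/2/2017 1:00:00 AM","Microsoft Corporation","%windir%\\system32\\defrag.exe -c -h -o -$"
"\\Backup\\NightlyBackup","6/28/2017 2:00:00 AM","CORP\\backupsvc","C:\\Tools\\backup.cmd"
"\\UpdateCheck","6/27/2017 2:47:00 PM","CORP\\jdoe","C:\\Windows\\system32\\shutdown.exe /r /f"
"""

# Heuristic (assumption for this example): a scheduled restart is a task whose
# command line runs shutdown / shutdown.exe with the /r switch.
REBOOT_PATTERN = re.compile(r"shutdown(\.exe)?\b.*\s/r\b", re.IGNORECASE)
SCHTASKS_TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def parse_schtasks_csv(text: str) -> list:
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def find_pending_reboots(rows: list, now: datetime,
                         window: timedelta = timedelta(hours=2)) -> list:
    """Return tasks that invoke a restart and are due within `window` of `now`."""
    hits = []
    for row in rows:
        cmd = row["Task To Run"]
        if not REBOOT_PATTERN.search(cmd):
            continue
        try:
            next_run = datetime.strptime(row["Next Run Time"], SCHTASKS_TIME_FORMAT)
        except ValueError:
            continue  # "N/A" or disabled task: nothing pending
        if now <= next_run <= now + window:
            hits.append({"task": row["TaskName"], "author": row["Author"],
                         "command": cmd, "next_run": next_run})
    return hits


def demo_pending_reboots() -> list:
    """Run the check against the constructed sample at a fixed 'now'."""
    rows = parse_schtasks_csv(SAMPLE_TASKS_CSV)
    now = datetime(2017, 6, 27, 14, 0, 0)  # constructed reference time
    return [hit["task"] for hit in find_pending_reboots(rows, now)]


if __name__ == "__main__":
    for task in demo_pending_reboots():
        print("restart scheduled soon by task:", task)
```

The value of the window is a tuning choice: a maintenance reboot created by an administrator days in advance is expected, whereas a restart created by an ordinary user account and due within the hour is the kind of anomaly that, per the webinar's description, marks the gap between infection and the encryption that follows the reboot.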

Pseudonymous security researcher the Grugq noted that the original Petya "was a criminal enterprise for making money," but that the second wave "is definitely not designed to make money". The perpetrators apparently did not care much about receiving payments, as they made no demands during the initial days after the attack.

However, on July 5, 2017, Motherboard first spotted a post left on the Tor-only announcement service DeepPaste. In the message, the Petya attackers offered the private encryption key used in the attack in exchange for 100 bitcoin, the equivalent of over $250,000 at current rates. Crucially, the message included a file signed with Petya's private key, which is strong evidence that the message came from the group responsible for Petya.

It is too early to ascertain the facts and jump to conclusions, as various cyber security firms, including Cisco Talos, Kaspersky Lab, and ESET, as well as the Ukrainian Police, have yet to identify the perpetrators and the motive behind the attack.